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Commissioner for Patents 
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Alexandria, VA 22313-1450 



BRIEF OF APPELLANT 



This Appeal Brief, pursuant to the Notice of Appeal filed July 21. 2005, is an appeal 
from the rejection ofthe Examiner in the Office Action dated May 3, 2005. 



REAL PARTY IN INTEREST 

International Business Machines, Inc. is the real party in interest. 

09/22/2005 AKELECH1 00000011 090457 09851286 
01 FC:1402 500.00 DA 

RELATED APPEALS AND INTERFERENCES 

None. 

09/2172005 mmt 00000007 09945?- 0JBS3fl6 

OLBstlSBI 50fc00=»ft STATUS OF CLAIMS 

Claims 1 -4, 9 and 13-29 are rejected. Claims 5-8 and 10-12 arc canceled. This Appeal 
Brief is in support of an appeal from the rejection of claims 1-4, 9 and 13-29. 
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STATUS OF AMENDMENTS 

There arc no After-Final Amendments which have not been entered. 



SUMMARY OF CLAIMED SUBJECT MATTER 

The present invention provides a method of operating an intrusion detection system for 
detecting an intrusion of a protected network attachment according to at least one business rule. 
See specification, page 6, lines 4-6; page 7, lines 1-9. An occurrence of a next update time of 
the intrusion detection system is awaited, said next update time being a time at which at least one 
validity condition of the at least one business rule is checked. Responsive to the occurrence of 
the next update time, the at least one validity condition of the at least one business rule is 
checked to determine whether a provision of any business rule of the at least one business rule is 
a newly operative provision that has first become operative or gone into effect since an 



occurrence 



c of a last previous updato time at which the at least one validity condition of the at 



least one business rule was checked. The newly operative provision prescribes an alteration of an 
intrusion set that the provision applies to. If the checked provision is the newly operative 
provision that applies to the intrusion set, then the intrusion set is altered according to the newly 
operative provision. See specification, page 12, lino 12 - page 13, line 19. 

The validity condition may be a temporal validity condition. Sec specification, page 1 0, 

line 15 -page 11, line 4. 

The validity condition may be a network validity condition. See specification, page 13, 

lines 5-16. 
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The validity condition may includes a multiple temporal specification, a multiple 
network-descriptive specification, or a multiple temporal specification and a multiple network- 
descriptive specification. Sec specification, page 13, lines 17-10. 

Altering the intrusion set may include: altering a signature of the intrusion set; a threshold 
of the intrusion set; altering an action of the intrusion set; altering a weight of the intrusion set. 

Sec specification, page 12, lines 3-7.. 

The update time may be: a scheduled time; one of a plurality of update times that occur 
substantially periodically; a computed update time. See specification, page 12, lines 14-1 8. 

The protected network attachment may comprise a computer, a server, a workstation, or a 
combination thereof. Sec specification, page 6, lines 8-9. 



GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

1. Claims 1-4, 9, 14-25 and 27-29 stand rejected under 35 U.S.C. § 102(c) as allegedly being 
anticipated by US Patent Publication No. 2002/0112185 At to Hodges. 



2. Claims 13 and 16 stand rejected under 35 U.S.C. §103(a) as allegedly being unpatentable over 
Hodges (US Publication No. 2002/0112185 Al) in view ofUS Patent No. 6,167,520 to Touboul. 
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ARGUMENT 

r.ROiiN n of RK.TKC TIQSLL 

Claims 1-4, 9, 14-25 and 27-29 stand rejected under 35 U.S.C. § 102(e) as allegedly being 



an 



ticipatcd by US Patent Publication No. 2002/01 121 85 Al to Hodges. 



Claim 1 



Appellants respectfully contend that Hodges does not anticipate claim 1 , because Hodges 
does nol Loach each and every feature of claim 1 . 



A first reason why Hodges does not anticipate claim 1 is that Hodges docs not teach the 
feature: "awaiting an occurrence of a next updalc time or the intrusion detection system, 
said next update time being a time at which at least one validity condition of the at least one 

business rule is checked" (emphasis added). 

The Uxomincr argues (in "Response to Arguments"): "Hodges does teach of waiting for 
next update time at which one validity condition is checked sec Par 0012 & Par 0014 & Par 



an 



0132". 



In response, Appellants respectfully contend Hodges, Pars. 0012 and 0014 merely 
discloses detection of an access system event, and most certainly does not disclose "awaiting an 
occurrence of a next update time of the intrusion detection system". Furthermore, Hodges, Par. 
0132 merely discloses "timing conditions restricting the lime when the authorization rule is in 
effect", and Hodges, Par. 01 32 does not disclose update limes when the validity conditions of flic 
at least one business rule is checked, as required by claim I . In addition. Hodges, Par. 0132 
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discusses liming conditions in conjunction with application of an authorization rule, and most 
certainly docs not disclose "awaiting an occurrence of a next update time of the intrusion 
detection system". In other words, Hodges does not teach use of an update lime and awaiting an 

occurrence of the update time. 

In the Advisory Action mailed 07/1 9/2005, the Examiner argues: -Hodges discloses the 
timing conditions where validity condition is checked see Par. 0132". In response, Appellants 
assert thai Hodges, Par. 0 1 32 docs not disclose update times where a validity condition is 
checked. Moreover, a teaching of update times where cv validity condition is checked is not a 
teaching of "awaiting an occurrence of ancxt update limcof the intrusion detection system". 



A second reason why Hodges docs not anticipate claim 1 is that llodgcs does not teach 
the feature: "responsive to Ihc occurrence of the next update time, checking the at least one 
validity condition of the at least one business rule to determine whether a provision of any 
business rule of the at least one business rule is a newly operative provision that has first 
become operative or gone into effect since an occurrence of a last previous update time at 
which the at least one validity condition of the at least one business rnlc was checked, said 
newly operative provision prescribing an alteration of an intrusion set thai the provision applies 
to" (emphasis added). 

The Examiner argues (in "Response to Arguments"): "And further is responsive to the 
occurrence of a business rale see Par 0015 & Abstract; also Hodges discloses of adding to the 
intrusion set and checking to see if it is new by comparing the rule with the cache and further 
retrieving form Directory sec Tar 0220 & Par 0221 . Hodges talks of monitoring for an 
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cvcnl(waiting for an event) and in addition he says that it could bo any suitable cvcnt(includcs 

lime) sec Par 001 3-00 1 5." 

In response, Appellants maintain that none of the Examiner's citations indicate checking 
the at least one validity condition of the at least one business rule responsive to the occurrence 

of the next update time. 

In further response, Appellants that the Examiner has incorrectly interpreted Hodges, 
Pars. 0220-0221 . The Examiner alleges: "I lodges discloses of adding to the intrusion set and 
checking to see i f it is new by comparing the rule with the cache and further retrieving form 
Directory sec Par 0220 & Par 0221", which is incorrect. Appellants assert that Hodges, Par. 
0220 merely checks the authorization rule cache 572 for the existence therein of authorization 
rules associated with a requested resource. Hodges, Pars. 0220-0221 does not perform checking 
to see if the rule is "new" (i.e., "a newly operative provision that has first become operative or 
gone into effect since an occurrence of a last previous update time at which the at least one 
validity condition of the at least one business rule was checked"). 



A third reason why Hodges docs not anticipate claim 1 is that Hodges docs not teach the 
fcaUuo: "if the checked provision is the newly operative provision that applies to the intrusion 



set, then altering the intrusion set according to the newly operative provision" 

The Examiner argues that Hodges teaches the preceding feature of claim 1 in Pars. 0200 
0201. In response, Appellants contend that Hodges, Pars. 0220-0221 merely leaches: "In step 
1 494, authorization module 542 determines whether one or more authorization rules associated 
with the rcqucsled resource are found in authorization rule cache 572. If one or more rules are 
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found, authorization module 542 proceeds to step 1496." Appellants note that step 1496 of FIG. 
38 "reads the first authorization rule associalcd with the requested resource from authorization 
rule cache 572", which is not an altering of an intrusion set as alleged by the Examiner. 

The Examiner also argues that Hodges teaches the preceding feature of claim 1 in the 
Abstract, hi response, Appellants contend that Hodges' Abstract recites: "The system detects an 
access system event in the access system and determines whether the access system event is of a 
type (hat is being monitored. If the access system event is of a type that is being monitored, the 
system reports information about the access system event. This information can he used by a 
rules engine or other process to determine if the access system event was part of an attempted 
intrusion of the access system. which is not a teaching of an altering of an intrusion set as 
alleged by the Examiner. 



Based on Ihc preceding arguments, Appellants respectfully maintain that Hodges docs not 
anticipate claim I, and that claim 1 is in condition for allowance. 



Hlnims 2. 4. an d 20-22 . 

Since claims 2, 4, and 20-22 depend from claim 1 . which Appellants have argued supra 
to not be anticipated by Hodges under 35 U.S.C. §102(3), Applicants Appellants that 2, 4, and 
20-22 are likewise not anticipated by Hodges under 35 U.S.C. §1 02(3). 



Cl aim 3 

Since claims 3 depends from olaim 1 , which Appellants have argued supra to not be 
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anticipated by Hodges under 35 U.S.C. §102(c), Applicants Appellants that claim 3 is likewise 
not anticipated by Hodges under 35 U.S.C. § 102(c). 

Tn addition with respect to claim 3, Hodges docs not teach "wherein the validity condition 
is a network validity condition". Appellants maintain that the Examiner's citation of Hodges, 
Par. 0008 merely discusses prior art and docs not state anything about Hodges 4 invention that the 
Examiner relics on. Moreover, the content in Hodges, Par. 0008 docs not teach a network 
validity condition of a business rule used in conjunction with an intrusion detection system, as 
required by claim 3, 



Cl aims 2 3-25 

Since claims 23-25 depend from claim 1, which Appellants have argued supra to not be 
anticipated by Hodges under 35 U.S.C. §1 02(e), Applicants Appellants that claim 23-25 are 
likewise not anticipated by Hodges under 35 U.S.C. §1 02(e). 

In addition with respect to claims 23-25, Hodges docs not teach "wherein the next update 
Lime is a scheduled lime" (claim 23); "wherein the next update time is one update time of a 
plurality of update times that occur substantially periodically" (claim 24); and, wherein the next 
update time is a computed update time" (claim 25). The Examiner's citation of Hodges, Par. 
0132 is not persuasive, because Hodges, Par. 0132 discloses "timing conditions restricting the 
time when the authorization rule is in elTccf , and Hodges, Par. 0132 docs not disclose update 
times when the validity conditions of the at least one business rule is checked, as required in 
claims 23-25. In other words, "times when the authorization rule is in effect" arc not the same as 
update times when the validity conditions arc checked. 
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Claims 27-29 

Since cl aims 27-29 depend from claim 1, which Appellants have argued supra to not bo 
anticipated by Hodges under 35 U.S.C. §102(c), Applicant Appellants that claim 27-29 arc 
likewise not anticipated by Hodges under 35 U.S.C. § 102(e). 

In addition with respect to claims 27-29, Hodges docs not teach that the step of altering 
the intrusion set includes the step of altering: a threshold of the intrusion set (claim 27); an action 
of the intrusion set (claim 28); and a weight of the intrusion set (claim 29). The Examiner's 
citation of Hodges, Pars. 0107 and 0131 do not teach the preceding features of claims 27-29. 

f lodges, Par. 0107 merely recites: "A policy can identify pcrson(s) who can modify the 
attribute. The policy can identify a set of people by identifying a role, by identifying a rule for 
identifying people, by identifying one or more people directly by name, or by identifying a named 
group", which docs not leach any of the preceding features of claims 27-29. 

Hodges, Par. 013 Imcrely recites: "In step 614, zero or more policies are added to the 
policy domain. In slcp 616, the data for the policy domain is stored in Directory Server 36 and 
appropriate caches (optional) arc updated", which docs not teach any of the preceding features of 
claims 27-29, 



ClajmS 

Appellants respectfully contend that Hodges does not anticipate claim 9, because Hodges 
docs not teach each and every feature of claim 9. 



A first reason why Hodges docs not anticipate claim 9 is that Hodges docs not teach the 
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feature: "awaiting an update lime of the intrusion detection system," (emphasis added). 

The Examiner argues (in "Response to Arguments"): "Hodges does teach of waiting for 
an next update time at which one validity condition is checked see Par 0012 & Par 0014 & Par 
0132". 

in response, Appellants respectfully contend Hodges, Pars. 001 2 and 001 4 merely 
discloses detection of an access system event, and most certainly does not disclose "awaiting an 
occurrence of an update time or the intrusion detection system". Furthermore, Hodges, Par. 0 132 
merely discloses "timing conditions restricting] the lime when the authorization rule is in effect", 
and Hodges, Par. 0132 docs not disclose update times when the validity conditions of the at least 
one business rule is checked, as required by claim 9. In addition, Hodges, Par. 0132 discusses 
timing conditions in conjunction with application of an authorization rule, and most certainly 
docs not disclose "awaiting an occurrence of a next update lime of the intrusion detection 
system". In other words, Hodges docs not teach use of an update time and awaiting an 
occurrence of the update time. 



A second reason why Hodges does not anticipate claim 9 is that Hodges docs not teach 
the feature: "responsive to the occurrence of an update time, checking validity conditions of 
the set of business rules to determine whether a provision of any of the set of business rules is a 
newly operative provision" (emphasis added). 

The Examiner argues (in "Response to Arguments"): "And further is responsive to the 
occurrence of a business rule sec Par 0015 & Abstract; also Hodges discloses of adding to the 
intrusion set and checking to sec if it is new by company the rule with the cache and further 
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retrieving form Directory see Par 0220 & Par 0221 . Hodges talks of monitoring for an 
evcnt(waiting Tor an event) and in addition he says that it could bo any suitable cvcnt(ineludcs 

time) sec Par 0013-0015." 

In response, Appellants maintain thaL none of the Examiner's citations indicate checking 
validity conditions of the set of business rules responsive to the occurrence of the an update 
time. 

In further response, Applicants that the Examiner has incorrectly interpreted Hodges, 
Pars. 0220-0221 . The Examiner alleges: "Hodges discloses of adding to the intrusion set and 
checking to see if it is new by comparing the rule with the cache and further retrieving form 
Directory see Par 0220 & Par 0221", which is incorrect. Appellants assert that Hodges, Par. 
0220 merely checks the authorization rule cache 572 for the existence therein of authorization 
rules associated with a requested resource. Hodges, Pars. 0220-0221 docs not perform cheeking 
to see if the rule is "new" (i.e., "a newly operative provision"). Appellants respectively request 
that the Examiner explain with clarity where Hodges allegedly teaches said checking to sec if the 
at least one validity condition is a newly operative provision as recited in claim 9. 



A third reason why Hodges docs not anticipate claim 9 is that Hodges docs not teach the 
feature: "if the new provision applies to the intrusion set, altering the intrusion set according to 

the newly operative provision". 

The Examiner argues that Hodges teaches the preceding feature of claim 9 in Pars. 0200- 
0201. In response, Appellants contend that Hodges, Pars. 0220-0221 merely teaches: "In step 
1494, authorization module 542 determines whether one or more authorization rules associated 
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Willi the requested resource are found in authorization rule cache 572. If one or more rules arc 
found, authorization module 542 proceeds to step 1496." Appellants nolo that slop 1496 of FIG. 
38 "reads the first authorization rule associated with the requested resource from authorization 
rule cache 572", which is not an altering of an intrusion set as alleged by the Examiner. 

The Examiner also argues that Hodges teaches the preceding feature of claim 9 in the 
Abstract. In response, Appellants contend that Hodges' Abstract recites: "The system detects an 
access system event in the access system and determines whether the access system event is of a 
typo that is being monitored. If the access system event is of a type that is being monitored, the 
system reports information about the access system event. This information can be used by a 
rules engine or other process to determine if the access system event was part of an attempted 
intrusion of the access system", which is not a teaching of an altering of an intrusion set as 
alleged by the Rxainincr. 



Based on the preceding arguments, Appellants respectfully maintain lhat Hodges does not 
anticipate claim 9, and that claim 9 is in condition for allowance. 



r.lajrp.s 14-16 

Since claims 1 4-1 6 depend from claim 9, which Appellants have argued supra to not be 
anticipated by Hodges under 35 U.S.C. §102(c), Applicants Appellants that claim 14-16 are 
likewise not anticipated by Hodges under 35 U.S.C. §l02(e). 

In addition with respect to claims 14-16, Hodges does not teach that the step of altering 
Ihc intrusion set includes the step of altering: a threshold of the intrusion set (claim 14); an action 



09/851,286 12 



PAGE 14/26 * RCVD AT 9/2012005 2:07:59 PM [Eastern Daylight Time] ' SVR:USPTO-EFXRF-6/36 ' DNIS:2733300 » CSID: * DURATION (mm-ss):1440 



SEP-20-05 TUE 01:41 PM FAX NO. P. 15 



of the intrusion set (claim 15); and a weight of the intrusion set (claim 16). The Examiner's 
citation of Hodges, Pars. 0107 and 013 1 do not teach the preceding features of claims 14-1 6. 

Hodges, Par. 0107 merely recites: "A policy can identify pcrson(s) who can modify the 
attribute. The policy can identify a set of people by identifying a role, by identifying a rule for 
identifying people, by identifying one or more people directly by name, or by identifying a named 
group", which docs not teach any of the preceding features of claims 14-16. 

Hodges, Par. 01 31mcrcly recites: "In step 614, zero or more policies arc added to the 
policy domain. In step 616, the data for the policy domain is stored in Directory Server 36 and 
appropriate caches (optional) are updated", which docs not teach any of the preceding features of 
claims 14-16. 



planus 17-19 

Since claims 1 7-1 9 depend from claim 9, which Appellants have argued supra to not be 
anticipated by Hodges under 35 U.S.C. §1 02(e), Applicants Appellants that claim 17-19 are 
likewise not anticipated by Hodges under 35 U.S.C. §102(c). 

In addition with respect to claims 17-1 9, Hodges does not leach "wherein the update time 
is a scheduled time" (claim 17); "wherein the update time is one update time of a plurality of 

t 

update times that occur substantially periodically" (claim 18); and, wherein the update time is a 
computed update time" (claim 19). The Examiner's citation of Hodges, Par. 0132 is not 
persuasive, because Hodges, Par. 0132 discloses "tuning conditions restricting] the time when 
the authorization rule is in effect", and Hodges, Par. 01 32 does not disclose update times when 
the validity conditions of the at least one business rule is checked as required in claims 1 7-19. In 
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other words, "limes when the authorization rule is in effect" arc not the same as update times 
when the validity conditions are checked. 
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figmn qn of reject ion 2 

Claims 13 and 16 stand rejected under 35 U.S.C. § 103(a) as allegedly being unpatentable 



over 



Hodges (US Publication No. 2002/01 12185 Al) in view of US Patent No. 6,167,520 lo 



Touboul. 



Since claim 13 depends from claim 9 which Appellants have argued supra to not be 
anticipated by Hodges, Appellants contend that claim 1 3 is not unpatentable over Hodges in view 
ofTouboul under 35 U.S.C. §103(a). 

Since claim 26 deponds from claim 1 which Appellants have argued supra to not be 
anticipated by Hodges, Appellants contend that claim 26 is not unpatentable over Hodges in view 
of Touboul under 35 U.S.C. § 103(a) 



In addition with respect to claims 13 and 26, Appellants respectfully contend that Hodges 
docs not teach or suggest the feature: "wherein the step of altering the intrusion set includes the 
step of altering a signature of the intrusion set". 

The Bxamincr argues: "Hodges docs not disclose the step of altering a signature of the 
intrusion set. However, Touboul docs suggest the altering of signature as Downloadables arc 
stamped with an signature and further different downloads having dif Icrcnt signature sec Col I 
Line 52-64. It would be obvious to one having ordinary skill in the art at the time of the invention 
to include a step of altering an signature of the intrusion scl in order for protecting data from 

hostile agents see Column 1 Line 62-63." 

In response, Appellants respectfully contend that the Examiner's argument is not 
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persuasive, because Touboul, col. 1, lines S2-64 does not suggest altering a digital signature of 
Downloadable*. In fact, Touboul, col. 1, lines 62-63 states that "a digital signature docs not 
guarantee that a Downloadable is harmless". While Touboul col. I, lines 63-64 states lhat "a 
system and method are needed for protecting clients from hostile Downloadables", Touboul does 



not 



teach or suggest lhat altering a digital signature will protect clients from hostile 



Downloadables." 

Accordingly, Appellants maintain that the Examiner has not established optima facie 
case of obviousness in relation to claims 13 and 26. 
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SUMMARY 



In summary, Appellant respectfully requests reversal ofthe May 3, 2005 Office Action 
rejection of claims 1-4, 9 ami 13-29. 

Respectfully submitted, 



Dated: 0 ^ / to/ f 

Schmciscr, Olsen & Watts 
3 Lear Jet Lane - Suite 201 
Lath fun, Now York 12110 
(518) 220-1 S50 




Attorney For Appellant 
Registration No. 44,688 
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Filed: 05/08/2001 Examiner: Pcrungavoor, Venkatanaray 

Serial No.: 09/851,286 

Title: METHOD OF OPERATING AN INTRUSION DETECTION SYSTEM 
ACCORDING TO A SET OF BUSINESS RULES 



Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 



APPENDIX A - CLAIMS ON APPEAL 



1 . A method of operating an intrusion detection system for detecting an intrusion of a protected 
network attachment according to at least one business rule, said method comprising the steps of: 
awaiting an occurrence of a next update time of the intrusion detection system, said next 
update time being a time at which at least one validity condition of the at least one business rule 
is checked; 

responsive to the occurrence of the next update time, checking the at least one validity 
condition of the at least one business rule to determine whether a provision of any business rule 
of the at least one business rule is a newly operative provision that has first become operative or 
gone into effect since an occurrence of a last previous update time at which the at least one 
validity condition of the at least one business rule was checked, said newly operative provision 
prescribing an alteration of an intrusion set that the provision applies to; 
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if the checked provision is the newly operative provision that applies to the intrusion set, 
then altering the intrus ion set according to the newly operative provi sion. 



2. The method of claim 1, wherein the validity condition is a temporal validity condition. 



. The method of claim 1 , wherein the validity condition is a network validity condition. 



4. The method of claim 1, wherein the validity condition includes a multiple temporal 
specification, a multiple network-descriptive specification, or a multiple temporal specification 
and a multiple network-descriptive specification. 



9. A method of operating an intrusion detection system according to a set of business rules, 

comprising the steps of: 

awaiting an update time of the intrusion detection system; 

responsive to occurrence of an update time, checking validity conditions of the set of 
business rules to determine whether a provision of any of the set of business rules is a newly 
operative provision; 

for each newly operative provision, checking an intrusion set to determine whether the 
newly operative provision applies to the intrusion set; and 

if the new provision applies to the intrusion set, altering the intrusion set according to the 

newly operative provision. 
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13 , The method of claim 9, wherein the step of altering the intrusion set includes the step of 
altering a signature of the intrusion set. 



14. The method of claim 9, wherein the step of altering the intrusion set includes the step of 
altering a threshold of the intrusion set. 



15. The method of claim 9, wherein the step of altering the intrusion set includes the step of 
altering an action of the intrusion set. 



1 6. The method of claim 9, wherein the step of altering the intrusion set includes the step of 
altering a weight of the intrusion set. 



17. The method of claim 9, wherein the update time is a scheduled time. 



1 8. The method of claim 9, wherein the update time is one of a plurality of update times that 
occur substantially periodically. 



19. The method of claim 9, wherein the update time is a computed update time. 



21). The method of claim I, wherein the at least one business rule consists of exactly one 



business rule. 
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2 1 . The method of claim 1 , wherein the at least one business rule consists of a plurality of 



business rules. 



22. The method of claim 1, wherein the protected network attachment comprises a computer, a 
server, a workstation, or a combination thereof. 



23, The method of claim 1 , wherein the next update lime is a scheduled time. 



24. The method of claim 1 , wherein the next update time is one update time of a plurality of 
update times that occur substantially periodically. 



25. The method of claim 1, wherein the next update time is a computed update tune. 



26. The method of claim 1, wherein the step of altering the intrusion set includes the step of 
altering a signature of the intrusion set. 



27. The method of claim 1 , wherein the step of altering the intrusion set includes the step of 
altering a threshold of the intrusion set. 



28. The method of claim 1 , wherein the step of altering the intrusion set includes the step of 
altering an action of the intrusion set. 
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29. The method of claim 1. wherein the step of altering the intrusion set includes the step of 
altering a weight of the intrusion set. 
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APPENDIX B - EVIDENCE 



There is no evidence entered by the Examiner and relied upon by Appellant in this appeal. 
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APPENDIX C - RELATED PROCEEDINGS 

There are no proceedings identified in the "Related Appeals and Interferences" section. 
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